Role-based access control is a general security model that simplifies administration by assigning roles to users and then assigning permissions to those roles. Learn how RBAC in SELinux acts as a layer of abstraction between the user and the underlying TE model, and how the three pieces of an SELinux context (policy, kernel, and userspace) work together to enforce the RBAC and tie Linux users into the TE policy.
OK, so how many of you Fedora 8 users have switched off SELinux altogether after becoming angry at it getting in your way??!?
(raises hand..)
Show of hands — how many Windows XP users are running as Administrator instead of creating their own user account?
— Same difference — real security will require some system knowledge and appear to “get in the way”.
Edited 2008-02-19 18:29 UTC
> OK, so how many of you Fedora 8 users have switched off SELinux
[root@one ~]# cat /etc/system-release
Fedora release 8 (Werewolf)
[root@one ~]# getenforce
Enforcing
[root@one ~]#
Probably not that many, Red Hat have done a very good job of creating a good targeted policies and good admin tools where the most common things changes can be made by checking a checkbox. The only problem with their targeted policy is that it is maily targeted at services and does very little to protect desktop users.
This is not quite true. While SELinux has a more definite advantage for servers, the targeted policy already covers a number of desktop components like dbus, hal, mozilla, thunderbird, evolution, mplayer and so on.
There is however need for SELinux support in X that is happening as part of the next Xorg release as well as more user space confinement.
try using the tools redhat has developed specifically to alleviate these pains
setroubleshoot
wether you raise your hand or not:
selinux is not easy compared to apparmor; and even if you are root/administrator, you probably don’t damage your system the way it does under windows.
I know selinx and apparmor are different altogether but you can pretty much confine your system _without_ having a policy getting in your way with apparmor.
> selinux is not easy compared to apparmor
But apparmor sucks.
> selinux is not easy
Pam, /etc/security, ConsoleKit, httpd.conf etc are not easy.
Security is not easy and will never be.
Very few people know how to secure a distribution.
You can’t hope everything good, if you require the user be in charge of security aspect.
That’s right, SeLinux sucks a little. To many people disable SeLinux. Very often because they don’t know how SeLinux works and they don’t want. But many many keep SeLinux in enforcing mode. SeLinux is my expert in security. I am not a security expert. Fedora provide SeLinux configured. You don’t have to configure it. If you have to, perhaps you are doing something wrong.
http://www.redhatmagazine.com/2007/08/21/a-step-by-step-guide-to-bu…
You can disable SeLinux, you can also use the root account to avoid “problems”.
Well, there must be a reason why the entire AppArmor team has been layed off from Novell.
http://www.news.com/8301-13580_3-9796140-39.html
How are they going to support a technology with known limitations (path based) and not upstream with the Linux kernel (unlike SELinux starting with the first 2.6 release) and no staff to develop and support it?
SELinux is much more comprehensive and getting easier to use every release in Fedora while providing more tighter policies.
Selinux has been basically transparent. I haven’t got a peep out of Fedora 8 yet after the update. Dont really know its running unless you go into server config in which case you SHOULD learn it cause it could save your company someday. There have been real world situations where selinux protected against exploits in the wild. There will be reports of it again in the future.
Anyone know if the fedora-selinux people have a full policy available or is _everything_ targeted now?
In Fedora 8, there is no separate strict policy anymore. The targeted policy is enhanced progressively to cover more and more programs and add policy restrictions to avoid or limit security exploits. Starting with about a dozen in Fedora Core 3, it is now covering several hundreds in Fedora 8 with tighter policies.
The latest work is confining user space programs starting with the browser (which is very difficult to confine without getting in the way but that is the challenge)
http://danwalsh.livejournal.com/15700.html#cutid1
We have about 100 Linux servers (most Debian servers but also a few RHEL servers) at work. We switched off SELinux on our RHEL servers because it is to difficult to maintain and we had a lot of problems with SELinux. SELinux sucks.